Law Firms Must Get to the Rootkit of Security Breaches

Does your firm’s IT department know what a rootkit is? And, more importantly, are they prepared to defend sensitive client data from a host of extremely sophisticated and stealthy rootkit attacks launched by hackers, cybercriminals, rogue hacktivists and even foreign governments?

The importance of boosting law firm defenses against these nasty pieces of computer code was the topic of an ABA Techshow session today that followed an FBI-hosted meeting in February with New York City’s top law firms to warn that they are soft, data-rich targets for those seeking sensitive client data.

During the session titled “Anatomy of a Law Firm Security Breach,” speakers John W. Simek, vice president of Sensei Enterprises, and Dave G. Ries, a partner at Thorp Reed & Armstrong, told attendees that rootkit attacks hide malicious resources and processes that can capture passwords, screenshots and files and secretly send them through a newly created backdoor to the attack's launcher. As an added threat, the data is encrypted so that once it starts flowing out of a computer system, there is no way to identify exactly what information has been stolen.

Because of these techniques, 60 percent of security attacks are not detected until months or years after the fact, according to a Verizon 2012 data breach investigations report.

A few of the most advanced and stealthiest malware threats to firms include Mebroot, Tidserv and Mebratix. And with the growing population of Apple-product users, all users should be alert for potential security threats. Would-be threat launchers don’t even need a lot of knowledge to launch an attack (though they might get plenty from online forums or firm websites) thanks to the availability of attack kits, which can write code for inexperienced hackers, according to the duo.

Although some firms and lawyers may feel defenseless against super-sophisticated attacks, they shouldn’t disregard the importance of basic defenses. Ries likened this behavior to protecting your home from a potential robbery.

“A determined burglar can get in, but you should still lock your doors and get an alarm system depending on where you are. Don’t turn off the alarm, unlock the door and hang a sign that says: ‘Welcome Burglars!’, which is what we’re seeing some law firms do,” Ries said. He noted that law firms are seen as easier targets for the information their more security-minded clients provide.

Secunia, a company that aggregates alerts to vulnerabilities and patches to protect sensitive data within existing security systems, was one resource recommended by the speakers.

“As regulatory compliance requirements have grown to include smaller entities, there’s been an expansion in the availability of more affordable services and appliances for smaller law firms,” Ries said.

And, while technological precautions are important, most law firms overlook the importance of training staff to prevent attacks and of having game plans for handling a breach within the firm, with clients and in the media.

“Technology is important,” Ries said, “but if [lawyers] don’t address the other parts, particularly the people, [the tech] is likely to fail.”